http://techcrunch.com/2011/10/06/zero-day-vulnerability-on-american-express-website-now-closed/

By Sarah Perez
TechCrunch
Oct 6, 2011

American Express says it has shut down the webpage that left a portion of its website open for anyone to access, in what is being called a zero-day security vulnerability, the company said in a statement.

The security issue was first discovered by developer Niklas Femerstrand, who attempted to reach out to American Express via Twitter in the hope of being pointed to an email address he could use to send the company further details regarding the issue. The seemingly confused Twitter rep asked him whether he was an Amex cardholder and offered him a phone number to call, despite his objections to contacting Amex via phone, fax or physical mail. In frustration, Femerstrand published the details on his blog instead.

According to the blog post (also featured here on Hacker News), Femerstrand discovered that American Express developers had accidentally left an administration panel for website debugging accessible, potentially leaving it open to XSS attacks.

"Hackers could inject a cookie stealer combined with jQuery's .hide() and harvest cookies which can, ironically enough, be exploited by using the admin panel provided by sloppy American Express developers," wrote Femerstrand in his blog post. He also demonstrated a proof-of-concept attack.

[...]

Received on Fri Oct 07 2011 - 00:35:50 PDT